RECORD OF PROCESSING ACTIVITIES

Your Article 30 register,
kept current by your work.

Most organisations that process personal data in the EU must keep a Record of Processing Activities under GDPR Article 30. Compass builds yours automatically from the processing your workspace actually records — and marks every field by how it is backed.

← The Compass engineLive in Dekimu Hub · Pro feature

WHO NEEDS ONE

Article 30 requires a written record of your processing activities. The under-250-employee exemption is narrow — it falls away the moment processing is regular, touches special-category data, or is not occasional, which covers most active businesses. When a supervisory authority asks, the register is the first document they request.

WHAT ARTICLE 30 ASKS FOR

For each processing activity the register captures the fields the regulation names. Compass fills them from what your workspace knows.

CONTROLLER

Who you are — entity, registered address, contact, and the data-protection contact.

PURPOSE

Why each activity processes personal data.

CATEGORIES OF DATA SUBJECTS

Whose data it is — clients, employees, prospects.

CATEGORIES OF PERSONAL DATA

What is processed — contact details, financial data, and any special categories.

RECIPIENTS

Who the data is disclosed to.

THIRD-COUNTRY TRANSFERS

Any transfer outside the EEA, and the safeguard relied on.

RETENTION

How long each category is kept before it is erased.

EVERY FIELD CARRIES ITS PROVENANCE

The register is a provenanced projection, not a fill-in form. Each field is marked so you and an auditor can tell apart what is proven, what is asserted, and what is missing.

Evidence

Backed by a verifiable receipt your workspace minted — for example a recorded retention period or a completed erasure.

Asserted

Drawn from information you provided. True if your input is true.

Gap

Required by Article 30 but not yet recorded. The register flags it instead of inventing it.

EXPORT THAT TRAVELS

Produce the register on demand in the format the moment calls for — to read, to file, or to hand over with proof attached.

MarkdownA clean, human-readable register for review or your records.
JSONThe structured register for tooling or a DPO platform.
Signed receiptA ropa.register.v1 receipt, signed with your workspace key, so the version you exported can be verified later as exactly what Compass produced on that date.

YOUR RESPONSIBILITY

This register is generated from the information you provided and the activity recorded in your workspace. You own the accuracy and completeness of the entries. A ✓ marks an entry backed by a verifiable receipt; a • marks information you asserted; a ⚠ marks an entry you still need to complete. It covers the processing your Hub workspace records, not processing that happens elsewhere — and it is not legal advice. Legal review is recommended.

FAQ

What is a Record of Processing Activities (RoPA)?

A Record of Processing Activities is the written inventory of how an organisation processes personal data, required by Article 30 of the GDPR. It lists, for each activity, the purpose, the categories of people and data, recipients, any third-country transfers, and retention periods.

Who has to keep a RoPA under GDPR?

Most controllers and processors in the EU. The exemption for organisations under 250 employees is narrow — it does not apply where processing is regular, is likely to risk people's rights, or involves special categories of data, which describes most active businesses.

How does Compass build the register automatically?

Compass reads the processing your Dekimu Hub workspace already records and maps it onto the Article 30 fields. It marks each field as backed by a verifiable receipt, asserted from your input, or an open gap — so the register reflects your real activity rather than a blank template.

Can I export the register for an auditor or regulator?

Yes. The register exports as human-readable Markdown, as structured JSON, or as a signed ropa.register.v1 receipt that lets the exported version be independently verified later as exactly what Compass produced on that date.

Does an automated RoPA make me compliant?

No. The register is a working document that reflects what your workspace has recorded. You own the accuracy and completeness of the entries, it covers only the processing recorded in your workspace, and it is not legal advice. Legal review is recommended.

Where do I find it?

RoPA is part of Compass inside Dekimu Hub at app.dekimu.com, a Pro feature. This page is a public explainer; the live register is in the gated dashboard.

REFERENCES

RoPA is a compliance-management tool, not a law firm. It does not provide legal advice and does not certify compliance. The register reflects the information and activity recorded in your workspace; you remain responsible for its accuracy and completeness.